Citrix Gateway

Preauthentication policies and profiles

Warning:

Authentication, authorization, and auditing preauthentication policies are deprecated from NetScaler 12.0 build 56.20 onwards. As an alternative, Citrix recommends that you use nFactor authentication. For more information, see the nFactor authentication topic.

You can configure Citrix Gateway to check for client-side security before users are authenticated. This method ensures that the user device establishing a session with Citrix Gateway conforms to your security requirements. You configure client-side security checks by using preauthentication policies specific to a virtual server or globally, as described in the following two procedures.

Preauthentication policies consist of a profile and an expression. You configure the profile to use an action that allows or denies a process to run on the user device. For example, suppose the text file clienttext.txt is running on the user device. When the user logs on to Citrix Gateway, you can either allow or deny access depending on whether the text file is running. If you do not want users to log on while the process is running, configure the profile so that the process is stopped before users log on.

You can configure the following settings for pre-authentication policies:

  • Expression. Includes the following settings to help you to create expressions:
    • Expression. Displays all expressions.
    • Match Any Expression. Configures the policy to match any of the expressions that are present in the list of selected expressions.
    • Match All Expressions. Configures the policy to match all the expressions that are present in the list of selected expressions.
    • Tabular Expressions. Creates a compound expression with the existing expressions by using the OR (||) or AND (&&) operators.
    • Advanced Free-Form. Creates custom compound expressions by using the expression names and the OR (||) and AND (&&) operators. Choose only those expressions that you require and omit other expressions from the list of selected expressions.
    • Add. Creates an expression.
    • Modify. Modifies an existing expression.
    • Remove. Removes the selected expression from the compound expressions list.
    • Named Expressions. Select a configured named expression. You can select named expressions from the menu of expressions already present on Citrix Gateway.
    • Add Expression. Adds the selected named expression to the policy.
    • Replace Expression. Replaces the selected named expression in the policy.
    • Preview Expression. Displays the detailed client security string that is configured on Citrix Gateway when you select a named expression.

Configure preauthentication profile

To configure a preauthentication profile globally by using the GUI

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Global Settings.
  2. In the details pane, under Settings, click Change pre-authentication settings.
  3. In the Global Pre-authentication settings dialog box, configure the settings:
    1. In Action, select Allow or Deny.

      Denies or allows users to log on after the Endpoint Analysis occurs.

    2. In Processes to be canceled, enter the process.

      This specifies the processes that the Endpoint Analysis plug-in must stop.

    3. In Files to be deleted, enter the file name.

      This specifies the files that the Endpoint Analysis plug-in must delete.

  4. In Expression, leave the default expression ns_true or build an expression for a specific application, such as antivirus or security software, and then click OK.

To configure a preauthentication profile by using the GUI

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies > Authentication/Authorization, and then click Pre-Authentication EPA.
  2. In the details pane, on the Profiles tab, click Add.
  3. In Name, type the name of the application to be checked.
  4. In Action, select ALLOW or DENY.
  5. In Processes to be canceled, type the name of the process to be stopped.
  6. In Files to be deleted, type the name of the file to be deleted, such as c:\clientext.txt, click Create, and then click Close.

Note: If a file is to be deleted or a process stopped, users receive a message asking for confirmation. The settings in steps 5 and 6 are optional.

If you use the configuration utility to configure a preauthentication profile, you then create the preauthentication policy by clicking Add on the Policies tab. In the Create Pre-Authentication Policy dialog box, select the profile from the Request Profile menu.

Configuring Endpoint Analysis expressions

Preauthentication and client security session policies include a profile and an expression. The policy can have one profile and multiple expressions. To scan a user device for an application, file, process, or registry entry, you create an expression or compound expressions within the policy.

Types of Expressions

The expression consists of an expression type and the parameters of the expression. Expression types include:

  • General
  • Client security
  • Network based

Add a preconfigured expression to a preauthentication policy

Citrix Gateway comes with pre-configured expressions, called named expressions. When you configure a policy, you can use a named expression for the policy. For example, you want the preauthentication policy to check for Symantec antivirus 10 with updated virus definitions. Create a preauthentication policy and add the expression as described in the following procedure.

When you create a preauthentication or session policy, you can create the expression when you create the policy. You can then apply the policy, with the expression, to virtual servers or globally.

The following procedure describes how to add a preconfigured antivirus expression to a policy by using the configuration utility.

Add a named expression to a preauthentication policy

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies > Authentication/Authorization, and then click Pre-Authentication EPA.
  2. In the details pane, select a policy and then click Open.
  3. Next to Named Expressions, select Anti-Virus, and then select the antivirus product from the list.
  4. Click Add Expression, click Create, and then click Close.

Configure custom expressions

A custom expression is one that you create within the policy. When you create an expression, you configure the parameters for the expression.

You can also create custom client security expressions that refer to commonly used client security strings. This simplifies both configuring preauthentication policies and maintaining the configured expressions.

For example, you want to create a custom client security expression for Symantec antivirus 10 and make sure that the virus definitions are no more than three days old. Create a policy and then configure the expression to specify the virus definitions.

The following procedure shows how to create a client security policy in a preauthentication policy. You can use the same steps in a session policy.

Create a preauthentication policy and custom client security expression

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies > Authentication/Authorization, and then click Pre-Authentication EPA.
  2. In the details pane, click Add. The Create Pre-Authentication Policy dialog box opens.
  3. In Name, type a name for the policy.
  4. Next to Request Profile, click New.
  5. In the Create Authentication Profile dialog box, in Name, type a name for the profile and in Action, select Allow, and then click Create.
  6. In the Create Pre-Authentication Policy dialog box, next to Match Any Expression, click Add.
  7. In Expression Type, select Client Security.
  8. Configure the following:
    1. In Component, select Anti-Virus.
    2. In Name, type a name for the application.
    3. In Qualifier, select Version.
    4. In Operator, select ==.
    5. In Value, type the value.
    6. In Freshness, type 3, and then click OK.
  9. In the Create Pre-Authentication Policy dialog box, click Create, and then click Close.

When you configure a custom expression, it is added to the Expression box in the policy dialog box.

Configure compound expressions

A preauthentication policy can have one profile and multiple expressions. If you configure compound expressions, you use operators to specify the conditions of the expression. For example, you can configure compound expressions to require the user device to run one of the following antivirus applications:

  • Symantec Antivirus 10
  • McAfee Antivirus 11
  • Sophos Antivirus 4

You configure the expression with the OR operator to check for the preceding three applications. If Citrix Gateway detects the correct version of any of the applications on the user device, users are allowed to log on. The expression in the policy dialog box appears as follows:

av_5_Symantec_10 || av_5_McAfeevirusscan_11 || av_5_sophos_4

For more information about compound expressions, see Configuring Compound Expressions.
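As an added example (not Citrix code or the EPA plug-in's own logic), here is a small Python model of how the expressions on this page are evaluated: antivirus named expressions in the av_<code>_<vendor>_<version> layout shown above, the Freshness check from the custom-expression procedure, || and && compounds, and bound policies applied in priority order (lowest number first). The device inventory, the name layout and the precedence of && over || are assumptions made for the example.

```python
from datetime import date

# Constructed EPA scan result (not real plug-in output): antivirus vendor ->
# installed version and the date of its virus definitions; scan dated below.
DEVICE = {
    "Symantec": {"version": 10, "defs_date": date(2024, 3, 1)},
    "sophos":   {"version": 3,  "defs_date": date(2024, 3, 3)},
}
SCAN_DATE = date(2024, 3, 3)

def named_expression(name, device, freshness_days=None, scan_date=SCAN_DATE):
    """Evaluate one antivirus named expression such as av_5_Symantec_10.
    Assumed layout: av_<code>_<vendor>_<version> (component, opaque code,
    vendor, required version with Qualifier Version and Operator ==).
    When freshness_days is set, definitions must also be at most that old."""
    component, _code, vendor, version = name.strip().split("_", 3)
    if component != "av":
        raise ValueError(f"unsupported component in {name!r}")
    product = device.get(vendor)
    if product is None or product["version"] != int(version):
        return False
    if freshness_days is not None:
        return (scan_date - product["defs_date"]).days <= freshness_days
    return True

def compound(expr, device, **kw):
    """Evaluate a compound of named expressions joined with || and &&, the two
    operators the tabular and free-form builders offer. && is assumed to bind
    tighter than ||, so the expression is an OR of AND groups."""
    return any(
        all(named_expression(term, device, **kw) for term in group.split("&&"))
        for group in expr.split("||")
    )

def first_matching_action(bound_policies, device):
    """Run bound policies lowest priority number first and return the
    ALLOW/DENY action of the profile whose expression matches first.
    What the appliance does when nothing matches is not modelled (None)."""
    for _priority, expr, action in sorted(bound_policies):
        if compound(expr, device):
            return action
    return None

# Constructed bindings: virtual-server policy at priority 2, global policy at 1.
BOUND = [
    (2, "av_5_Symantec_10 || av_5_McAfeevirusscan_11 || av_5_sophos_4", "ALLOW"),
    (1, "av_5_sophos_3 && av_5_Symantec_10", "DENY"),
]
```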

Bind preauthentication policies

After you create the preauthentication or client security session policy, bind the policy to the level to which it applies. You can bind the preauthentication policies to virtual servers or globally.

Create and bind a preauthentication policy globally

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Global Settings.
  2. In the details pane, click Change pre-authentication settings.
  3. In the Global Pre-Authentication Settings dialog box, in Action, select Allow or Deny.
  4. In Name, type a name for the policy.
  5. In the Global Pre-authentication settings dialog box, next to Named Expressions, select General, select True value, click Add Expression, click Create, and then click Close.

Bind a preauthentication policy to a virtual server

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Virtual Servers.
  2. In the details pane, select a virtual server, and then click Open.
  3. In the configure Citrix Gateway Virtual Server dialog box, click the Policies tab, and then click Pre-authentication.
  4. Under Details, click Insert Policy, and then under Policy Name, select the preauthentication policy.
  5. Click OK.

Unbind and remove preauthentication policies

You can remove a preauthentication policy from Citrix Gateway if necessary. Before you remove a preauthentication policy, unbind it from the virtual server or globally.

Unbind a global preauthentication policy

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies > Authentication/Authorization, and then click Pre-Authentication EPA.
  2. In the details pane, select a policy and then in Action, click Global Bindings.
  3. In the Bind/Unbind Pre-authentication Policies to Global dialog box, select a policy, click Unbind Policy, and then click OK.

Unbind a preauthentication policy from a virtual server

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway, and then click Virtual Servers.
  2. In the Configure Citrix Gateway Virtual Server dialog box, click the Policies tab, and then click Preauthentication.
  3. Select the policy and then click Unbind Policy.

When the preauthentication policy is unbound, you can remove the policy from Citrix Gateway.

Remove a preauthentication policy

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway > Policies > Authentication/Authorization, and then click Pre-Authentication EPA.
  2. In the details pane, select a policy and then click Remove.

Set the priority of preauthentication policies

You can have multiple preauthentication policies that are bound to different levels. For example, you have a policy that checks for a specific antivirus application bound to Citrix ADC AAA Global and a firewall policy bound to the virtual server. When users log on, the policy that is bound to the virtual server is applied first. The policy that is bound at Citrix ADC AAA Global is applied second.

You can change the order in which the preauthentication scans occur. Policies with lower priority numbers are applied first, so to make Citrix Gateway apply the global policy first, change the priority number of the policy bound to the virtual server, giving it a higher priority number than the policy bound globally. For example, set the priority number for the global policy to one and the virtual server policy to two. When users log on, Citrix Gateway runs the global policy scan first and the virtual server policy scan second.

Change the priority of a preauthentication policy

  1. In the configuration utility, on the Configuration tab, in the navigation pane, expand Citrix Gateway and then click Virtual Servers.
  2. In the details pane, select a virtual server, and then click Open.
  3. On the Policies tab, click Pre-authentication.
  4. Under Priority, type the priority number for the policy, and then click OK.